From 2ee8163d9b904ebf051fca84d1e3c1645a9532db Mon Sep 17 00:00:00 2001 From: Mark Nalyanya Date: Wed, 22 Jan 2014 17:05:48 +0100 Subject: [PATCH 01/11] Add Solaris support Parameterized the OS specific options --- README.md | 79 ++++++++-- manifests/init.pp | 297 +++++++++++++++++++++++++++------- spec/classes/init_spec.rb | 324 +++++++++++++++++++++++++++++++++++++- templates/ssh_config.erb | 10 +- templates/sshd_config.erb | 31 +++- 5 files changed, 654 insertions(+), 87 deletions(-) diff --git a/README.md b/README.md index 74de5a1..a4fbc9a 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,7 @@ This module has been tested to work on the following systems with Puppet v3. * EL 6 * SLES 11 * Ubuntu 12.04 LTS + * Solaris 10 === @@ -34,13 +35,13 @@ ssh_config_hash_known_hosts HashKnownHosts in ssh_config. Indicates that ssh should hash host names and addresses when they are added to ~/.ssh/known_hosts. These hashed names may be used normally by ssh and sshd, but they do not reveal identifying -information should the file's contents be disclosed. The default is 'no'. +information should the file's contents be disclosed. The default is 'no' on Linux OS. Note that existing names and addresses in known hosts files will not be converted automatically, but may be manually hashed using ssh-keygen. Use of this option may break facilities such as tab-completion that rely on being able to read unhashed host names from ~/.ssh/known_hosts. -- *Default*: 'no' +- *Default*: based on OS platform. ssh_config_path --------------- @@ -86,7 +87,7 @@ ServerAliveInterval option in ssh_config. Not set by default. ssh_config_sendenv_xmodifiers ----------------------- -Boolean to set 'SendEnv XMODIFIERS' in ssh_config. +Boolean to set 'SendEnv XMODIFIERS' in ssh_config. This option is only valid on Linux OS. - *Default*: false @@ -110,9 +111,9 @@ sshd_config's group. sshd_config_mode --------------- -sshd_config's mode. +sshd_config's mode. The default is '0600' on Linux OS and '0644' on Solaris OS. -- *Default*: '0600' +- *Default*: based on OS platform. sshd_config_port --------------------------- @@ -146,9 +147,9 @@ PrintMotd option in sshd_config. sshd_config_use_dns ------------------- -UseDNS option in sshd_config. +UseDNS option in sshd_config. The default is 'yes' on Linux OS. -- *Default*: 'yes' +- *Default*: based on OS platform. (Only valid on Linux OS.) sshd_config_banner ------------------ @@ -184,13 +185,13 @@ sshd_config_xauth_location -------------------------- XAuthLocation option in sshd_config. -- *Default*: '/usr/bin/xauth' +- *Default*: based on OS platform. sshd_config_subsystem_sftp -------------------------- Path to sftp file transfer subsystem in sshd_config. -- *Default*: '/usr/libexec/openssh/sftp-server' +- *Default*: based on OS platform. sshd_password_authentication @@ -210,9 +211,9 @@ Specifies whether TCP forwarding is permitted. sshd_x11_forwarding ------------------- X11Forwarding in sshd_config. -Specifies whether X11 forwarding is permitted. +Specifies whether X11 forwarding is permitted. Module sets this option to 'yes'. Future release will update the default to be based on OS platform. -- *Default*: 'no' +- *Default*: 'yes' sshd_use_pam ------------ @@ -220,8 +221,9 @@ UsePam in sshd_config. Enables the Pluggable Authentication Module interface. If set to 'yes' this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types. +This module sets this option to 'yes' on Linux OS and undef on Solaris OS. -- *Default*: 'no' +- *Default*: based on OS platform. (Valid only on Linux OS) sshd_client_alive_interval -------------------------- @@ -251,6 +253,57 @@ Allow root login. Valid values are 'yes', 'without-password', 'forced-commands-o - *Default*: yes +ssh_config_forward_x11_trusted +------------------------------ +ForwardX11Trusted. Determine remote X11 client access to the original X11 display. +The option is set to 'yes' on Linux OS. + +- *Default*: based on OS platform. (Not valid on Solaris OS.) + +ssh_package_source +------------------ +Source to SSH packages. + +- *Default*: based on OS platform. (used on Solaris) + +ssh_package_adminfile +--------------------- +Path to admin file for SSH packages. + +- *Default*: based on OS platform. (used on Solaris) + +sshd_gssapiauthentication +------------------------- +GSSAPIAuthentication: Enables/disables GSS-API user authentication. + +- *Default*: based on OS platform. + +sshd_gssapikeyexchange +---------------------- +GSSAPIKeyExchange: Enables/disables GSS-API-authenticated key exchanges. + +- *Default*: based on OS platform. + +sshd_pamauthenticationviakbdint +------------------------------- +PAMAuthenticationViaKBDInt: Use PAM via keyboard interactive method for authentication. + +- *Default*: based on OS platform. (valid on Solaris OS) + +sshd_gssapicleanupcredentials +----------------------------- +GSSAPICleanupCredentials: Specifies whether to automatically destroy the user's credentials on logout. +Default is 'yes' on Linux OS. + +- *Default*: based on OS platform. (Only valid on Linux OS) + +ssh_acceptenv +------------- +Boolean to enable AcceptEnv and SendEnv options for specifying environment variables. +Default is set to 'true' on Linux OS. + +- *Default*: based on OS platform. (Only valid on Linux OS) + purge_keys ---------- Remove keys not managed by puppet. @@ -259,7 +312,7 @@ Remove keys not managed by puppet. manage_firewall --------------- -Open firewall for SSH service. +Open firewall for SSH service. Not used on Solaris OS. - *Default*: false diff --git a/manifests/init.pp b/manifests/init.pp index 938c58a..83a3180 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -8,31 +8,32 @@ class ssh ( $permit_root_login = 'yes', $purge_keys = 'true', $manage_firewall = false, - $ssh_config_hash_known_hosts = 'no', + $ssh_config_hash_known_hosts = 'USE_DEFAULTS', $ssh_config_path = '/etc/ssh/ssh_config', $ssh_config_owner = 'root', $ssh_config_group = 'root', $ssh_config_mode = '0644', $ssh_config_forward_x11 = undef, + $ssh_config_forward_x11_trusted = 'USE_DEFAULTS', $ssh_config_forward_agent = undef, $ssh_config_server_alive_interval = undef, $ssh_config_sendenv_xmodifiers = false, $sshd_config_path = '/etc/ssh/sshd_config', $sshd_config_owner = 'root', $sshd_config_group = 'root', - $sshd_config_mode = '0600', + $sshd_config_mode = 'USE_DEFAULTS', $sshd_config_port = '22', $sshd_config_syslog_facility = 'AUTH', $sshd_config_login_grace_time = '120', $sshd_config_challenge_resp_auth = 'yes', $sshd_config_print_motd = 'yes', - $sshd_config_use_dns = 'yes', + $sshd_config_use_dns = 'USE_DEFAULTS', $sshd_config_banner = 'none', $sshd_banner_content = undef, $sshd_banner_owner = 'root', $sshd_banner_group = 'root', $sshd_banner_mode = '0644', - $sshd_config_xauth_location = '/usr/bin/xauth', + $sshd_config_xauth_location = 'USE_DEFAULTS', $sshd_config_subsystem_sftp = 'USE_DEFAULTS', $service_ensure = 'running', $service_name = 'USE_DEFAULTS', @@ -47,17 +48,229 @@ class ssh ( $sshd_password_authentication = 'yes', $sshd_allow_tcp_forwarding = 'yes', $sshd_x11_forwarding = 'yes', - $sshd_use_pam = 'yes', + $sshd_use_pam = 'USE_DEFAULTS', $sshd_client_alive_interval = '0', + $ssh_package_source = 'USE_DEFAULTS', + $ssh_package_adminfile = 'USE_DEFAULTS', + $sshd_gssapiauthentication = 'yes', + $sshd_gssapikeyexchange = 'USE_DEFAULTS', + $sshd_pamauthenticationviakbdint = 'USE_DEFAULTS', + $sshd_gssapicleanupcredentials = 'USE_DEFAULTS', + $ssh_acceptenv = 'USE_DEFAULTS', ) { + case $::osfamily { + 'RedHat': { + $default_packages = ['openssh-server', + 'openssh-clients'] + $default_sshd_config_subsystem_sftp = '/usr/libexec/openssh/sftp-server' + $default_ssh_config_hash_known_hosts = 'no' + $default_service_name = 'sshd' + $default_ssh_config_forward_x11_trusted = 'yes' + $default_sshd_config_mode = '0600' + $default_sshd_config_use_dns = 'yes' + $default_sshd_config_xauth_location = '/usr/bin/xauth' + $default_sshd_use_pam = 'yes' + $default_ssh_package_source = undef + $default_ssh_package_adminfile = undef + $default_sshd_gssapikeyexchange = undef + $default_sshd_pamauthenticationviakbdint = undef + $default_sshd_gssapicleanupcredentials = 'yes' + $default_ssh_acceptenv = true + } + 'Suse': { + $default_packages = 'openssh' + $default_ssh_config_hash_known_hosts = 'no' + $default_service_name = 'sshd' + $default_ssh_config_forward_x11_trusted = 'yes' + $default_sshd_config_mode = '0600' + $default_sshd_config_use_dns = 'yes' + $default_sshd_config_xauth_location = '/usr/bin/xauth' + $default_sshd_use_pam = 'yes' + $default_ssh_package_source = undef + $default_ssh_package_adminfile = undef + $default_sshd_gssapikeyexchange = undef + $default_sshd_pamauthenticationviakbdint = undef + $default_sshd_gssapicleanupcredentials = 'yes' + $default_ssh_acceptenv = true + case $::architecture { + 'x86_64': { + $default_sshd_config_subsystem_sftp = '/usr/lib64/ssh/sftp-server' + } + 'i386' : { + $default_sshd_config_subsystem_sftp = '/usr/lib/ssh/sftp-server' + } + default: { + fail("ssh supports architectures x86_64 and i386 for Suse. Detected architecture is <${::architecture}>.") + } + } + } + 'Debian': { + $default_packages = ['openssh-server', + 'openssh-client'] + $default_ssh_config_hash_known_hosts = 'no' + $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' + $default_service_name = 'ssh' + $default_ssh_config_forward_x11_trusted = 'yes' + $default_sshd_config_mode = '0600' + $default_sshd_config_use_dns = 'yes' + $default_sshd_config_xauth_location = '/usr/bin/xauth' + $default_sshd_use_pam = 'yes' + $default_ssh_package_source = undef + $default_ssh_package_adminfile = undef + $default_sshd_gssapikeyexchange = undef + $default_sshd_pamauthenticationviakbdint = undef + $default_sshd_gssapicleanupcredentials = 'yes' + $default_ssh_acceptenv = true + } + 'Solaris': { + $default_packages = ['SUNWsshcu', + 'SUNWsshdr', + 'SUNWsshdu', + 'SUNWsshr', + 'SUNWsshu'] + $default_ssh_config_hash_known_hosts = undef + $default_sshd_config_subsystem_sftp = '/usr/lib/ssh/sftp-server' + $default_ssh_config_forward_x11_trusted = undef + $default_sshd_config_mode = '0644' + $default_sshd_config_use_dns = undef + $default_sshd_config_xauth_location = '/usr/openwin/bin/xauth' + $default_sshd_use_pam = undef + $default_ssh_package_source = '/var/spool/pkg' + $default_ssh_package_adminfile = undef + $default_sshd_gssapikeyexchange = 'yes' + $default_sshd_pamauthenticationviakbdint = 'yes' + $default_sshd_gssapicleanupcredentials = undef + $default_ssh_acceptenv = false + case $::kernelrelease { + '5.10','5.11': { + $default_service_name = 'ssh' + } + '5.9' : { + $default_service_name = 'sshd' + } + default: { + fail('ssh module supports Solaris kernel release 5.9, 5.10 and 5.11.') + } + } + } + default: { + fail("ssh supports osfamilies RedHat, Suse, Debian and Solaris. Detected osfamily is <${::osfamily}>.") + } + } + + if $packages == 'USE_DEFAULTS' { + $packages_real = $default_packages + } else { + $packages_real = $packages + } + + if $ssh_config_hash_known_hosts == 'USE_DEFAULTS' { + $ssh_config_hash_known_hosts_real = $default_ssh_config_hash_known_hosts + } else { + $ssh_config_hash_known_hosts_real = $ssh_config_hash_known_hosts + } + + if $service_name == 'USE_DEFAULTS' { + $service_name_real = $default_service_name + } else { + $service_name_real = $service_name + } + + if $sshd_config_subsystem_sftp == 'USE_DEFAULTS' { + $sshd_config_subsystem_sftp_real = $default_sshd_config_subsystem_sftp + } else { + $sshd_config_subsystem_sftp_real = $sshd_config_subsystem_sftp + } + + if $sshd_config_mode == 'USE_DEFAULTS' { + $sshd_config_mode_real = $default_sshd_config_mode + } else { + $sshd_config_mode_real = $sshd_config_mode + } + + if $sshd_config_xauth_location == 'USE_DEFAULTS' { + $sshd_config_xauth_location_real = $default_sshd_config_xauth_location + } else { + $sshd_config_xauth_location_real = $sshd_config_xauth_location + } + + if $ssh_package_source == 'USE_DEFAULTS' { + $ssh_package_source_real = $default_ssh_package_source + } else { + $ssh_package_source_real = $ssh_package_source + } + + if $ssh_package_adminfile == 'USE_DEFAULTS' { + $ssh_package_adminfile_real = $default_ssh_package_adminfile + } else { + $ssh_package_adminfile_real = $ssh_package_adminfile + } + + if $sshd_config_use_dns == 'USE_DEFAULTS' { + $sshd_config_use_dns_real = $default_sshd_config_use_dns + } else { + $sshd_config_use_dns_real = $sshd_config_use_dns + } + + if $sshd_use_pam == 'USE_DEFAULTS' { + $sshd_use_pam_real = $default_sshd_use_pam + } else { + $sshd_use_pam_real = $sshd_use_pam + } + + if $ssh_config_forward_x11_trusted == 'USE_DEFAULTS' { + $ssh_config_forward_x11_trusted_real = $default_ssh_config_forward_x11_trusted + } else { + $ssh_config_forward_x11_trusted_real = $ssh_config_forward_x11_trusted + } + + if $sshd_gssapikeyexchange == 'USE_DEFAULTS' { + $sshd_gssapikeyexchange_real = $default_sshd_gssapikeyexchange + } else { + $sshd_gssapikeyexchange_real = $sshd_gssapikeyexchange + } + + if $sshd_pamauthenticationviakbdint == 'USE_DEFAULTS' { + $sshd_pamauthenticationviakbdint_real = $default_sshd_pamauthenticationviakbdint + } else { + $sshd_pamauthenticationviakbdint_real = $sshd_pamauthenticationviakbdint + } + + if $sshd_gssapicleanupcredentials == 'USE_DEFAULTS' { + $sshd_gssapicleanupcredentials_real = $default_sshd_gssapicleanupcredentials + } else { + $sshd_gssapicleanupcredentials_real = $sshd_gssapicleanupcredentials + } + + if $ssh_acceptenv == 'USE_DEFAULTS' { + $ssh_acceptenv_real = $default_ssh_acceptenv + } else { + case type($ssh_acceptenv) { + 'string': { + validate_re($ssh_acceptenv, '^(true|false)$', "ssh::ssh_acceptenv may be either 'true' or 'false' and is set to <${ssh_acceptenv}>.") + $ssh_acceptenv_real = str2bool($ssh_acceptenv) + } + 'boolean': { + $ssh_acceptenv_real = $ssh_acceptenv + } + default: { + fail('ssh::ssh_acceptenv type must be true or false.') + } + } + } + # validate params - validate_re($ssh_config_hash_known_hosts, '^(yes|no)$', "ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts}>.") + if $ssh_config_hash_known_hosts_real != undef { + validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts_real}>.") + } validate_re($sshd_config_port, '^\d+$', "ssh::sshd_config_port must be a valid number and is set to <${sshd_config_port}>.") validate_re($sshd_password_authentication, '^(yes|no)$', "ssh::sshd_password_authentication may be either 'yes' or 'no' and is set to <${sshd_password_authentication}>.") validate_re($sshd_allow_tcp_forwarding, '^(yes|no)$', "ssh::sshd_allow_tcp_forwarding may be either 'yes' or 'no' and is set to <${sshd_allow_tcp_forwarding}>.") validate_re($sshd_x11_forwarding, '^(yes|no)$', "ssh::sshd_x11_forwarding may be either 'yes' or 'no' and is set to <${sshd_x11_forwarding}>.") - validate_re($sshd_use_pam, '^(yes|no)$', "ssh::sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam}>.") + if $sshd_use_pam_real != undef { + validate_re($sshd_use_pam_real, '^(yes|no)$', "ssh::sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam_real}>.") + } if is_integer($sshd_client_alive_interval) == false { fail("ssh::sshd_client_alive_interval must be an integer and is set to <${sshd_client_alive_interval}>.") } if $sshd_config_banner != 'none' { @@ -67,6 +280,17 @@ class ssh ( fail('ssh::sshd_config_banner must be set to be able to use sshd_banner_content.') } + validate_re($sshd_gssapiauthentication, '^(yes|no)$', "ssh::sshd_gssapiauthentication may be either 'yes' or 'no' and is set to <${sshd_gssapiauthentication}>.") + if $sshd_gssapikeyexchange_real != undef { + validate_re($sshd_gssapikeyexchange_real, '^(yes|no)$', "ssh::sshd_gssapikeyexchange may be either 'yes' or 'no' and is set to <${sshd_gssapikeyexchange_real}>.") + } + if $sshd_pamauthenticationviakbdint_real != undef { + validate_re($sshd_pamauthenticationviakbdint_real, '^(yes|no)$', "ssh::sshd_pamauthenticationviakbdint may be either 'yes' or 'no' and is set to <${sshd_pamauthenticationviakbdint_real}>.") + } + if $sshd_gssapicleanupcredentials_real != undef { + validate_re($sshd_gssapicleanupcredentials_real, '^(yes|no)$', "ssh::sshd_gssapicleanupcredentials may be either 'yes' or 'no' and is set to <${sshd_gssapicleanupcredentials_real}>.") + } + case type($hiera_merge) { 'string': { validate_re($hiera_merge, '^(true|false)$', "ssh::hiera_merge may be either 'true' or 'false' and is set to <${hiera_merge}>.") @@ -122,60 +346,11 @@ class ssh ( } } - case $::osfamily { - 'RedHat': { - $default_packages = ['openssh-server', - 'openssh-clients'] - $default_sshd_config_subsystem_sftp = '/usr/libexec/openssh/sftp-server' - $default_service_name = 'sshd' - } - 'Suse': { - $default_packages = 'openssh' - $default_service_name = 'sshd' - case $::architecture { - 'x86_64': { - $default_sshd_config_subsystem_sftp = '/usr/lib64/ssh/sftp-server' - } - 'i386' : { - $default_sshd_config_subsystem_sftp = '/usr/lib/ssh/sftp-server' - } - default: { - fail("ssh supports architectures x86_64 and i386 for Suse. Detected architecture is <${::architecture}>.") - } - } - } - 'Debian': { - $default_packages = [ 'openssh-server', - 'openssh-client'] - $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' - $default_service_name = 'ssh' - } - default: { - fail("ssh supports osfamilies RedHat, Suse and Debian. Detected osfamily is <${::osfamily}>.") - } - } - - if $packages == 'USE_DEFAULTS' { - $packages_real = $default_packages - } else { - $packages_real = $packages - } - - if $service_name == 'USE_DEFAULTS' { - $service_name_real = $default_service_name - } else { - $service_name_real = $service_name - } - - if $sshd_config_subsystem_sftp == 'USE_DEFAULTS' { - $sshd_config_subsystem_sftp_real = $default_sshd_config_subsystem_sftp - } else { - $sshd_config_subsystem_sftp_real = $sshd_config_subsystem_sftp - } - package { 'ssh_packages': - ensure => installed, - name => $packages_real, + ensure => installed, + name => $packages_real, + source => $ssh_package_source_real, + adminfile => $ssh_package_adminfile_real, } file { 'ssh_config' : @@ -191,7 +366,7 @@ class ssh ( file { 'sshd_config' : ensure => file, path => $sshd_config_path, - mode => $sshd_config_mode, + mode => $sshd_config_mode_real, owner => $sshd_config_owner, group => $sshd_config_group, content => template('ssh/sshd_config.erb'), diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 7918ceb..d3a308b 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -36,7 +36,8 @@ describe 'ssh' do it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } - it { should contain_file('ssh_config').with_content(/^ HashKnownHosts no$/) } + it { should contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) } + it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } @@ -68,6 +69,291 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) } it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) } + it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } + it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } + it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } + it { should_not contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) } + it { should_not contain_file('sshd_config').with_content(/^GSSAPIKeyExchange no$/) } + it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) } + + it { + should contain_service('sshd_service').with({ + 'ensure' => 'running', + 'name' => 'sshd', + 'enable' => 'true', + 'hasrestart' => 'true', + 'hasstatus' => 'true', + 'subscribe' => 'File[sshd_config]', + }) + } + + it { + should contain_resources('sshkey').with({ + 'purge' => 'true', + }) + } + end + + context 'with default params on osfamily Solaris kernelrelease 5.8' do + let :facts do + { + :fqdn => 'monkey.example.com', + :osfamily => 'Solaris', + :kernelrelease => '5.8', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it 'should fail' do + expect { + should include_class('ssh') + }.to raise_error(Puppet::Error,/ssh module supports Solaris kernel release 5.9, 5.10 and 5.11./) + end + end + + context 'with default params on osfamily Solaris kernelrelease 5.11' do + let :facts do + { + :fqdn => 'monkey.example.com', + :osfamily => 'Solaris', + :kernelrelease => '5.11', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it { should include_class('ssh')} + + it { should_not include_class('common')} + + + it { + should contain_package('ssh_packages').with({ + 'ensure' => 'installed', + 'name' => ['SUNWsshcu','SUNWsshdr','SUNWsshdu','SUNWsshr','SUNWsshu'], + 'source' => '/var/spool/pkg', + 'adminfile' => nil, + }) + } + + it { + should contain_file('ssh_config').with({ + 'ensure' => 'file', + 'path' => '/etc/ssh/ssh_config', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + 'require' => 'Package[ssh_packages]', + }) + } + + it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } + it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } + it { should_not contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) } + + it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } + it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } + it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) } + it { should_not contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) } + + it { + should contain_file('sshd_config').with({ + 'ensure' => 'file', + 'path' => '/etc/ssh/sshd_config', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + 'require' => 'Package[ssh_packages]', + }) + } + + it { should contain_file('sshd_config').with_content(/^SyslogFacility AUTH$/) } + it { should contain_file('sshd_config').with_content(/^LoginGraceTime 120$/) } + it { should contain_file('sshd_config').with_content(/^PermitRootLogin yes$/) } + it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication yes$/) } + it { should contain_file('sshd_config').with_content(/^PrintMotd yes$/) } + it { should contain_file('sshd_config').with_content(/^Banner none$/) } + it { should contain_file('sshd_config').with_content(/^XAuthLocation \/usr\/openwin\/bin\/xauth$/) } + it { should contain_file('sshd_config').with_content(/^Subsystem sftp \/usr\/lib\/ssh\/sftp-server$/) } + it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } + it { should_not contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } + it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } + it { should contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) } + it { should contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) } + it { should_not contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) } + + it { + should contain_service('sshd_service').with({ + 'ensure' => 'running', + 'name' => 'ssh', + 'enable' => 'true', + 'hasrestart' => 'true', + 'hasstatus' => 'true', + 'subscribe' => 'File[sshd_config]', + }) + } + + it { + should contain_resources('sshkey').with({ + 'purge' => 'true', + }) + } + end + + context 'with default params on osfamily Solaris kernelrelease 5.10' do + let :facts do + { + :fqdn => 'monkey.example.com', + :osfamily => 'Solaris', + :kernelrelease => '5.10', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it { should include_class('ssh')} + + it { should_not include_class('common')} + + + it { + should contain_package('ssh_packages').with({ + 'ensure' => 'installed', + 'name' => ['SUNWsshcu','SUNWsshdr','SUNWsshdu','SUNWsshr','SUNWsshu'], + 'source' => '/var/spool/pkg', + 'adminfile' => nil, + }) + } + + it { + should contain_file('ssh_config').with({ + 'ensure' => 'file', + 'path' => '/etc/ssh/ssh_config', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + 'require' => 'Package[ssh_packages]', + }) + } + + it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } + it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } + it { should_not contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) } + + it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } + it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } + it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) } + it { should_not contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) } + + it { + should contain_file('sshd_config').with({ + 'ensure' => 'file', + 'path' => '/etc/ssh/sshd_config', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + 'require' => 'Package[ssh_packages]', + }) + } + + it { should contain_file('sshd_config').with_content(/^SyslogFacility AUTH$/) } + it { should contain_file('sshd_config').with_content(/^LoginGraceTime 120$/) } + it { should contain_file('sshd_config').with_content(/^PermitRootLogin yes$/) } + it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication yes$/) } + it { should contain_file('sshd_config').with_content(/^PrintMotd yes$/) } + it { should contain_file('sshd_config').with_content(/^Banner none$/) } + it { should contain_file('sshd_config').with_content(/^XAuthLocation \/usr\/openwin\/bin\/xauth$/) } + it { should contain_file('sshd_config').with_content(/^Subsystem sftp \/usr\/lib\/ssh\/sftp-server$/) } + it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } + it { should_not contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } + it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } + it { should contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) } + it { should contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) } + it { should_not contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) } + + it { + should contain_service('sshd_service').with({ + 'ensure' => 'running', + 'name' => 'ssh', + 'enable' => 'true', + 'hasrestart' => 'true', + 'hasstatus' => 'true', + 'subscribe' => 'File[sshd_config]', + }) + } + + it { + should contain_resources('sshkey').with({ + 'purge' => 'true', + }) + } + end + + context 'with default params on osfamily Solaris kernelrelease 5.9' do + let :facts do + { + :fqdn => 'monkey.example.com', + :osfamily => 'Solaris', + :kernelrelease => '5.9', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it { should include_class('ssh')} + it { should_not include_class('common')} + + it { + should contain_package('ssh_packages').with({ + 'ensure' => 'installed', + 'name' => ['SUNWsshcu','SUNWsshdr','SUNWsshdu','SUNWsshr','SUNWsshu'], + 'source' => '/var/spool/pkg', + 'adminfile' => nil, + }) + } + + it { + should contain_file('ssh_config').with({ + 'ensure' => 'file', + 'path' => '/etc/ssh/ssh_config', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + 'require' => 'Package[ssh_packages]', + }) + } + + it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } + it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } + it { should_not contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) } + + it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } + it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } + it { should_not contain_file('ssh_config').with_content(/^\s*ServerAliveInterval$/) } + it { should_not contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) } + + it { + should contain_file('sshd_config').with({ + 'ensure' => 'file', + 'path' => '/etc/ssh/sshd_config', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644', + 'require' => 'Package[ssh_packages]', + }) + } + + it { should contain_file('sshd_config').with_content(/^SyslogFacility AUTH$/) } + it { should contain_file('sshd_config').with_content(/^LoginGraceTime 120$/) } + it { should contain_file('sshd_config').with_content(/^PermitRootLogin yes$/) } + it { should contain_file('sshd_config').with_content(/^ChallengeResponseAuthentication yes$/) } + it { should contain_file('sshd_config').with_content(/^PrintMotd yes$/) } + it { should contain_file('sshd_config').with_content(/^Banner none$/) } + it { should contain_file('sshd_config').with_content(/^XAuthLocation \/usr\/openwin\/bin\/xauth$/) } + it { should contain_file('sshd_config').with_content(/^Subsystem sftp \/usr\/lib\/ssh\/sftp-server$/) } + it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } + it { should_not contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } + it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } + it { should contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) } + it { should contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) } + it { should_not contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) } it { should contain_service('sshd_service').with({ @@ -121,7 +407,8 @@ describe 'ssh' do it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } - it { should contain_file('ssh_config').with_content(/^ HashKnownHosts no$/) } + it { should contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) } + it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } @@ -153,6 +440,12 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) } it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) } + it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } + it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } + it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } + it { should_not contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) } + it { should_not contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) } + it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) } it { should contain_service('sshd_service').with({ @@ -208,7 +501,8 @@ describe 'ssh' do it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } - it { should contain_file('ssh_config').with_content(/^ HashKnownHosts no$/) } + it { should contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) } + it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } @@ -240,6 +534,12 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) } it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) } + it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } + it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } + it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } + it { should_not contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) } + it { should_not contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) } + it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) } it { should contain_service('sshd_service').with({ @@ -295,7 +595,8 @@ describe 'ssh' do it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } - it { should contain_file('ssh_config').with_content(/^ HashKnownHosts no$/) } + it { should contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) } + it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } @@ -327,6 +628,12 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) } it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) } + it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } + it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } + it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } + it { should_not contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) } + it { should_not contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) } + it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) } it { should contain_service('sshd_service').with({ @@ -362,7 +669,7 @@ describe 'ssh' do it 'should fail' do expect { should contain_class('ssh') - }.to raise_error(Puppet::Error,/^ssh supports osfamilies RedHat, Suse and Debian. Detected osfamily is \./) + }.to raise_error(Puppet::Error,/^ssh supports osfamilies RedHat, Suse, Debian and Solaris. Detected osfamily is \./) end end @@ -400,6 +707,7 @@ describe 'ssh' do it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } it { should contain_file('ssh_config').with_content(/^ HashKnownHosts yes$/) } + it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) } it { should contain_file('ssh_config').with_content(/^ ForwardAgent yes$/) } it { should contain_file('ssh_config').with_content(/^ ForwardX11 yes$/) } it { should contain_file('ssh_config').with_content(/^ ServerAliveInterval 300$/) } @@ -463,6 +771,12 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^X11Forwarding no$/) } it { should contain_file('sshd_config').with_content(/^UsePAM no$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 242$/) } + it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } + it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } + it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } + it { should_not contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) } + it { should_not contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) } + it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) } it { should contain_file('sshd_banner').with({ diff --git a/templates/ssh_config.erb b/templates/ssh_config.erb index 5b6d3b9..0e7981d 100644 --- a/templates/ssh_config.erb +++ b/templates/ssh_config.erb @@ -45,13 +45,17 @@ # TunnelDevice any:any # PermitLocalCommand no # HashKnownHosts no - HashKnownHosts <%= @ssh_config_hash_known_hosts %> +<% if @ssh_config_hash_known_hosts_real != nil -%> + HashKnownHosts <%= @ssh_config_hash_known_hosts_real %> +<% end -%> Host * GSSAPIAuthentication yes # If this option is set to yes then remote X11 clients will have full access # to the original X11 display. As virtually no X11 client supports the untrusted # mode correctly we set this to yes. - ForwardX11Trusted yes +<% if @ssh_config_forward_x11_trusted_real != nil -%> + ForwardX11Trusted <%= @ssh_config_forward_x11_trusted_real %> +<% end -%> <% if @ssh_config_forward_agent != nil -%> ForwardAgent <%= @ssh_config_forward_agent %> <% end -%> @@ -61,6 +65,7 @@ Host * <% if @ssh_config_server_alive_interval != nil -%> ServerAliveInterval <%= @ssh_config_server_alive_interval %> <% end -%> +<% if @ssh_acceptenv_real == true -%> # Send locale-related environment variables SendEnv LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT @@ -68,3 +73,4 @@ Host * <% if @ssh_config_sendenv_xmodifiers_real == true -%> SendEnv XMODIFIERS <% end -%> +<% end -%> diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb index 5d5849a..576ed29 100644 --- a/templates/sshd_config.erb +++ b/templates/sshd_config.erb @@ -24,7 +24,7 @@ Protocol 2 # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 -#HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key @@ -63,6 +63,14 @@ PermitRootLogin <%= @permit_root_login %> # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes PasswordAuthentication <%= @sshd_password_authentication %> +<% if @sshd_pamauthenticationviakbdint_real != nil -%> +# Use PAM via keyboard interactive method for authentication. +# # Depending on the setup of pam.conf(4) this may allow tunneled clear text +# # passwords even when PasswordAuthentication is set to no. This is dependent +# # on what the individual modules request and is out of the control of sshd +# # or the protocol. +PAMAuthenticationViaKBDInt yes +<% end -%> #PermitEmptyPasswords no # Change to no to disable s/key passwords @@ -77,10 +85,16 @@ ChallengeResponseAuthentication <%= @sshd_config_challenge_resp_auth %> # GSSAPI options #GSSAPIAuthentication no -GSSAPIAuthentication yes +GSSAPIAuthentication <%= @sshd_gssapiauthentication %> +<% if @sshd_gssapikeyexchange_real != nil -%> +GSSAPIKeyExchange <%= @sshd_gssapikeyexchange_real %> +<% end -%> +<% if @sshd_gssapicleanupcredentials_real != nil -%> #GSSAPICleanupCredentials yes -GSSAPICleanupCredentials yes +GSSAPICleanupCredentials <%= @sshd_gssapicleanupcredentials_real %> +<% end -%> +<% if @sshd_use_pam_real != nil -%> # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication mechanism. @@ -90,12 +104,15 @@ GSSAPICleanupCredentials yes # session checks to run without PAM authentication, then enable this but set # ChallengeResponseAuthentication=no #UsePAM no -UsePAM <%= @sshd_use_pam %> +UsePAM <%= @sshd_use_pam_real %> +<% end -%> +<% if @ssh_acceptenv_real == true -%> # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL +<% end -%> #AllowTcpForwarding yes AllowTcpForwarding <%= @sshd_allow_tcp_forwarding %> #GatewayPorts no @@ -115,8 +132,10 @@ PrintMotd <%= @sshd_config_print_motd %> ClientAliveInterval <%= @sshd_client_alive_interval %> #ClientAliveCountMax 3 #ShowPatchLevel no +<% if @sshd_config_use_dns_real != nil -%> #UseDNS yes -UseDNS <%= @sshd_config_use_dns %> +UseDNS <%= @sshd_config_use_dns_real %> +<% end -%> #PidFile /var/run/sshd.pid #MaxStartups 10 #PermitTunnel no @@ -127,7 +146,7 @@ UseDNS <%= @sshd_config_use_dns %> Banner <%= @sshd_config_banner %> #XAuthLocation /usr/bin/xauth -XAuthLocation <%= @sshd_config_xauth_location %> +XAuthLocation <%= @sshd_config_xauth_location_real %> # override default of no subsystems Subsystem sftp <%= @sshd_config_subsystem_sftp_real %> From ec878abe2bd7fb8ca447faaca5b10e876c28da80 Mon Sep 17 00:00:00 2001 From: Garrett Honeycutt Date: Tue, 25 Feb 2014 10:41:24 +0100 Subject: [PATCH 02/11] Cleanup duplicate code in Solaris port. This code would prevent a catalog from compiling. --- manifests/init.pp | 51 ----------------------------------------------- 1 file changed, 51 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 0e3a0b3..0892c37 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -346,57 +346,6 @@ class ssh ( } } - case $::osfamily { - 'RedHat': { - $default_packages = ['openssh-server', - 'openssh-clients'] - $default_sshd_config_subsystem_sftp = '/usr/libexec/openssh/sftp-server' - $default_service_name = 'sshd' - } - 'Suse': { - $default_packages = 'openssh' - $default_service_name = 'sshd' - case $::architecture { - 'x86_64': { - $default_sshd_config_subsystem_sftp = '/usr/lib64/ssh/sftp-server' - } - 'i386' : { - $default_sshd_config_subsystem_sftp = '/usr/lib/ssh/sftp-server' - } - default: { - fail("ssh supports architectures x86_64 and i386 for Suse. Detected architecture is <${::architecture}>.") - } - } - } - 'Debian': { - $default_packages = [ 'openssh-server', - 'openssh-client'] - $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' - $default_service_name = 'ssh' - } - default: { - fail("ssh supports osfamilies RedHat, Suse and Debian. Detected osfamily is <${::osfamily}>.") - } - } - - if $packages == 'USE_DEFAULTS' { - $packages_real = $default_packages - } else { - $packages_real = $packages - } - - if $service_name == 'USE_DEFAULTS' { - $service_name_real = $default_service_name - } else { - $service_name_real = $service_name - } - - if $sshd_config_subsystem_sftp == 'USE_DEFAULTS' { - $sshd_config_subsystem_sftp_real = $default_sshd_config_subsystem_sftp - } else { - $sshd_config_subsystem_sftp_real = $sshd_config_subsystem_sftp - } - package { $packages_real: ensure => installed, source => $ssh_package_source_real, From 94d8fef4bb4a760b777d79ba1fcae768036249aa Mon Sep 17 00:00:00 2001 From: Garrett Honeycutt Date: Tue, 25 Feb 2014 10:42:26 +0100 Subject: [PATCH 03/11] Ensure spec tests for Solaris port pass --- spec/classes/init_spec.rb | 65 ++++++++++++++++++++------------------- 1 file changed, 34 insertions(+), 31 deletions(-) diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 44829ec..c2f1f6c 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -127,14 +127,15 @@ describe 'ssh' do it { should_not include_class('common')} - it { - should contain_package('ssh_packages').with({ - 'ensure' => 'installed', - 'name' => ['SUNWsshcu','SUNWsshdr','SUNWsshdu','SUNWsshr','SUNWsshu'], - 'source' => '/var/spool/pkg', - 'adminfile' => nil, - }) - } + ['SUNWsshcu','SUNWsshdr','SUNWsshdu','SUNWsshr','SUNWsshu'].each do |pkg| + it { + should contain_package(pkg).with({ + 'ensure' => 'installed', + 'source' => '/var/spool/pkg', + 'adminfile' => nil, + }) + } + end it { should contain_file('ssh_config').with({ @@ -143,7 +144,7 @@ describe 'ssh' do 'owner' => 'root', 'group' => 'root', 'mode' => '0644', - 'require' => 'Package[ssh_packages]', + 'require' => [ 'Package[SUNWsshcu]', 'Package[SUNWsshdr]', 'Package[SUNWsshdu]', 'Package[SUNWsshr]', 'Package[SUNWsshu]' ], }) } @@ -163,7 +164,7 @@ describe 'ssh' do 'owner' => 'root', 'group' => 'root', 'mode' => '0644', - 'require' => 'Package[ssh_packages]', + 'require' => [ 'Package[SUNWsshcu]', 'Package[SUNWsshdr]', 'Package[SUNWsshdu]', 'Package[SUNWsshr]', 'Package[SUNWsshu]' ], }) } @@ -214,15 +215,15 @@ describe 'ssh' do it { should_not include_class('common')} - - it { - should contain_package('ssh_packages').with({ - 'ensure' => 'installed', - 'name' => ['SUNWsshcu','SUNWsshdr','SUNWsshdu','SUNWsshr','SUNWsshu'], - 'source' => '/var/spool/pkg', - 'adminfile' => nil, - }) - } + ['SUNWsshcu','SUNWsshdr','SUNWsshdu','SUNWsshr','SUNWsshu'].each do |pkg| + it { + should contain_package(pkg).with({ + 'ensure' => 'installed', + 'source' => '/var/spool/pkg', + 'adminfile' => nil, + }) + } + end it { should contain_file('ssh_config').with({ @@ -231,7 +232,7 @@ describe 'ssh' do 'owner' => 'root', 'group' => 'root', 'mode' => '0644', - 'require' => 'Package[ssh_packages]', + 'require' => [ 'Package[SUNWsshcu]', 'Package[SUNWsshdr]', 'Package[SUNWsshdu]', 'Package[SUNWsshr]', 'Package[SUNWsshu]' ], }) } @@ -251,7 +252,7 @@ describe 'ssh' do 'owner' => 'root', 'group' => 'root', 'mode' => '0644', - 'require' => 'Package[ssh_packages]', + 'require' => [ 'Package[SUNWsshcu]', 'Package[SUNWsshdr]', 'Package[SUNWsshdu]', 'Package[SUNWsshr]', 'Package[SUNWsshu]' ], }) } @@ -299,16 +300,18 @@ describe 'ssh' do end it { should include_class('ssh')} + it { should_not include_class('common')} - it { - should contain_package('ssh_packages').with({ - 'ensure' => 'installed', - 'name' => ['SUNWsshcu','SUNWsshdr','SUNWsshdu','SUNWsshr','SUNWsshu'], - 'source' => '/var/spool/pkg', - 'adminfile' => nil, - }) - } + ['SUNWsshcu','SUNWsshdr','SUNWsshdu','SUNWsshr','SUNWsshu'].each do |pkg| + it { + should contain_package(pkg).with({ + 'ensure' => 'installed', + 'source' => '/var/spool/pkg', + 'adminfile' => nil, + }) + } + end it { should contain_file('ssh_config').with({ @@ -317,7 +320,7 @@ describe 'ssh' do 'owner' => 'root', 'group' => 'root', 'mode' => '0644', - 'require' => 'Package[ssh_packages]', + 'require' => [ 'Package[SUNWsshcu]', 'Package[SUNWsshdr]', 'Package[SUNWsshdu]', 'Package[SUNWsshr]', 'Package[SUNWsshu]' ], }) } @@ -337,7 +340,7 @@ describe 'ssh' do 'owner' => 'root', 'group' => 'root', 'mode' => '0644', - 'require' => 'Package[ssh_packages]', + 'require' => [ 'Package[SUNWsshcu]', 'Package[SUNWsshdr]', 'Package[SUNWsshdu]', 'Package[SUNWsshr]', 'Package[SUNWsshu]' ], }) } From ae87198e76fa25ddbfab8b665989d9dbf1105841 Mon Sep 17 00:00:00 2001 From: Garrett Honeycutt Date: Tue, 25 Feb 2014 12:53:45 +0100 Subject: [PATCH 04/11] Make Solaris work Clean up nalyanyam's commit --- README.md | 84 +++--- manifests/init.pp | 122 +++++--- spec/classes/init_spec.rb | 612 +++++++++++++++++++++++++++++++++----- templates/ssh_config.erb | 2 +- templates/sshd_config.erb | 12 +- 5 files changed, 659 insertions(+), 173 deletions(-) diff --git a/README.md b/README.md index 4b16a2a..6d04fd2 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# puppet-module-ssh # +# puppet-module-ssh Manage ssh client and server. @@ -6,7 +6,7 @@ The module uses exported resources to manage ssh keys and removes ssh keys that === -# Compatability # +# Compatability This module has been tested to work on the following systems with Puppet v3 and Ruby versions 1.8.7, 1.9.3 and 2.0.0. @@ -15,11 +15,15 @@ This module has been tested to work on the following systems with Puppet v3 and * EL 6 * SLES 11 * Ubuntu 12.04 LTS + * Solaris 9 * Solaris 10 + * Solaris 11 === -# Parameters # +# Parameters +A value of `'USE_DEFAULTS'` will use the defaults specified by the module. + hiera_merge ----------- @@ -35,13 +39,13 @@ ssh_config_hash_known_hosts HashKnownHosts in ssh_config. Indicates that ssh should hash host names and addresses when they are added to ~/.ssh/known_hosts. These hashed names may be used normally by ssh and sshd, but they do not reveal identifying -information should the file's contents be disclosed. The default is 'no' on Linux OS. +information should the file's contents be disclosed. The default is 'no' on Linux. Note that existing names and addresses in known hosts files will not be converted automatically, but may be manually hashed using ssh-keygen. Use of this option may break facilities such as tab-completion that rely on being able to read unhashed host names from ~/.ssh/known_hosts. -- *Default*: based on OS platform. +- *Default*: 'USE_DEFAULTS' ssh_config_path --------------- @@ -87,10 +91,16 @@ ServerAliveInterval option in ssh_config. Not set by default. ssh_config_sendenv_xmodifiers ----------------------- -Boolean to set 'SendEnv XMODIFIERS' in ssh_config. This option is only valid on Linux OS. +Boolean to set 'SendEnv XMODIFIERS' in ssh_config. This option is only valid on Linux. - *Default*: false +ssh_sendenv +------------- +Boolean to enable SendEnv options for specifying environment variables. Default is set to true on Linux. + +- *Default*: 'USE_DEFAULTS' + sshd_config_path ---------------- Path to sshd_config. @@ -111,15 +121,15 @@ sshd_config's group. sshd_config_mode --------------- -sshd_config's mode. The default is '0600' on Linux OS and '0644' on Solaris OS. +sshd_config's mode. The default is '0600' on Linux and '0644' on Solaris. -- *Default*: based on OS platform. +- *Default*: 'USE_DEFAULTS' sshd_config_port --------------------------- String to specify listen port for sshd. Port option in sshd_config. -- *Default*: 22 +- *Default*: '22' sshd_config_syslog_facility --------------------------- @@ -147,9 +157,9 @@ PrintMotd option in sshd_config. sshd_config_use_dns ------------------- -UseDNS option in sshd_config. The default is 'yes' on Linux OS. +UseDNS option in sshd_config. The default is 'yes' on Linux. -- *Default*: based on OS platform. (Only valid on Linux OS.) +- *Default*: 'USE_DEFAULTS' sshd_config_banner ------------------ @@ -185,33 +195,30 @@ sshd_config_xauth_location -------------------------- XAuthLocation option in sshd_config. -- *Default*: based on OS platform. +- *Default*: 'USE_DEFAULTS' sshd_config_subsystem_sftp -------------------------- Path to sftp file transfer subsystem in sshd_config. -- *Default*: based on OS platform. +- *Default*: 'USE_DEFAULTS' sshd_password_authentication ----------------------------- -PasswordAuthentication in sshd_config. -Specifies whether password authentication is allowed. +PasswordAuthentication in sshd_config. Specifies whether password authentication is allowed. - *Default*: 'yes' sshd_allow_tcp_forwarding ------------------------- -AllowTcpForwarding in sshd_config. -Specifies whether TCP forwarding is permitted. +AllowTcpForwarding in sshd_config. Specifies whether TCP forwarding is permitted. - *Default*: 'yes' sshd_x11_forwarding ------------------- -X11Forwarding in sshd_config. -Specifies whether X11 forwarding is permitted. Module sets this option to 'yes'. Future release will update the default to be based on OS platform. +X11Forwarding in sshd_config. Specifies whether X11 forwarding is permitted. - *Default*: 'yes' @@ -221,9 +228,9 @@ UsePam in sshd_config. Enables the Pluggable Authentication Module interface. If set to 'yes' this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types. -This module sets this option to 'yes' on Linux OS and undef on Solaris OS. +This module sets this option to 'yes' on Linux and undef on Solaris. -- *Default*: based on OS platform. (Valid only on Linux OS) +- *Default*: 'USE_DEFAULTS' sshd_client_alive_interval -------------------------- @@ -255,54 +262,51 @@ Allow root login. Valid values are 'yes', 'without-password', 'forced-commands-o ssh_config_forward_x11_trusted ------------------------------ -ForwardX11Trusted. Determine remote X11 client access to the original X11 display. -The option is set to 'yes' on Linux OS. +ForwardX11Trusted. Determine remote X11 client access to the original X11 display. The option is set to 'yes' on Linux. Valid values are 'yes', 'no', and undef. -- *Default*: based on OS platform. (Not valid on Solaris OS.) +- *Default*: 'USE_DEFAULTS' (Not valid on Solaris.) ssh_package_source ------------------ Source to SSH packages. -- *Default*: based on OS platform. (used on Solaris) +- *Default*: 'USE_DEFAULTS' ssh_package_adminfile --------------------- Path to admin file for SSH packages. -- *Default*: based on OS platform. (used on Solaris) +- *Default*: 'USE_DEFAULTS' sshd_gssapiauthentication ------------------------- -GSSAPIAuthentication: Enables/disables GSS-API user authentication. +GSSAPIAuthentication: Enables/disables GSS-API user authentication. Valid values are 'yes' and 'no'. -- *Default*: based on OS platform. +- *Default*: 'yes' sshd_gssapikeyexchange ---------------------- -GSSAPIKeyExchange: Enables/disables GSS-API-authenticated key exchanges. +GSSAPIKeyExchange: Enables/disables GSS-API-authenticated key exchanges. Valid values are 'yes', 'no', and undef. -- *Default*: based on OS platform. +- *Default*: 'USE_DEFAULTS' sshd_pamauthenticationviakbdint ------------------------------- -PAMAuthenticationViaKBDInt: Use PAM via keyboard interactive method for authentication. +PAMAuthenticationViaKBDInt: Use PAM via keyboard interactive method for authentication. Valid values are 'yes', 'no', and undef. -- *Default*: based on OS platform. (valid on Solaris OS) +- *Default*: 'USE_DEFAULTS' sshd_gssapicleanupcredentials ----------------------------- -GSSAPICleanupCredentials: Specifies whether to automatically destroy the user's credentials on logout. -Default is 'yes' on Linux OS. +GSSAPICleanupCredentials: Specifies whether to automatically destroy the user's credentials on logout. Default is 'yes' on Linux. Valid values are 'yes', 'no', and undef. -- *Default*: based on OS platform. (Only valid on Linux OS) +- *Default*: 'USE_DEFAULTS' -ssh_acceptenv +sshd_acceptenv ------------- -Boolean to enable AcceptEnv and SendEnv options for specifying environment variables. -Default is set to 'true' on Linux OS. +Boolean to enable AcceptEnv options for specifying environment variables. Default is set to true on Linux. -- *Default*: based on OS platform. (Only valid on Linux OS) +- *Default*: 'USE_DEFAULTS' purge_keys ---------- @@ -312,7 +316,7 @@ Remove keys not managed by puppet. manage_firewall --------------- -Open firewall for SSH service. Not used on Solaris OS. +Open firewall for SSH service. Not used on Solaris. - *Default*: false diff --git a/manifests/init.pp b/manifests/init.pp index 0892c37..51aec4e 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -8,6 +8,8 @@ class ssh ( $permit_root_login = 'yes', $purge_keys = 'true', $manage_firewall = false, + $ssh_package_source = 'USE_DEFAULTS', + $ssh_package_adminfile = 'USE_DEFAULTS', $ssh_config_hash_known_hosts = 'USE_DEFAULTS', $ssh_config_path = '/etc/ssh/ssh_config', $ssh_config_owner = 'root', @@ -18,6 +20,7 @@ class ssh ( $ssh_config_forward_agent = undef, $ssh_config_server_alive_interval = undef, $ssh_config_sendenv_xmodifiers = false, + $ssh_sendenv = 'USE_DEFAULTS', $sshd_config_path = '/etc/ssh/sshd_config', $sshd_config_owner = 'root', $sshd_config_group = 'root', @@ -35,6 +38,16 @@ class ssh ( $sshd_banner_mode = '0644', $sshd_config_xauth_location = 'USE_DEFAULTS', $sshd_config_subsystem_sftp = 'USE_DEFAULTS', + $sshd_password_authentication = 'yes', + $sshd_allow_tcp_forwarding = 'yes', + $sshd_x11_forwarding = 'yes', + $sshd_use_pam = 'USE_DEFAULTS', + $sshd_client_alive_interval = '0', + $sshd_gssapiauthentication = 'yes', + $sshd_gssapikeyexchange = 'USE_DEFAULTS', + $sshd_pamauthenticationviakbdint = 'USE_DEFAULTS', + $sshd_gssapicleanupcredentials = 'USE_DEFAULTS', + $sshd_acceptenv = 'USE_DEFAULTS', $service_ensure = 'running', $service_name = 'USE_DEFAULTS', $service_enable = 'true', @@ -45,54 +58,44 @@ class ssh ( $keys = undef, $manage_root_ssh_config = 'false', $root_ssh_config_content = "# This file is being maintained by Puppet.\n# DO NOT EDIT\n", - $sshd_password_authentication = 'yes', - $sshd_allow_tcp_forwarding = 'yes', - $sshd_x11_forwarding = 'yes', - $sshd_use_pam = 'USE_DEFAULTS', - $sshd_client_alive_interval = '0', - $ssh_package_source = 'USE_DEFAULTS', - $ssh_package_adminfile = 'USE_DEFAULTS', - $sshd_gssapiauthentication = 'yes', - $sshd_gssapikeyexchange = 'USE_DEFAULTS', - $sshd_pamauthenticationviakbdint = 'USE_DEFAULTS', - $sshd_gssapicleanupcredentials = 'USE_DEFAULTS', - $ssh_acceptenv = 'USE_DEFAULTS', ) { case $::osfamily { 'RedHat': { $default_packages = ['openssh-server', 'openssh-clients'] - $default_sshd_config_subsystem_sftp = '/usr/libexec/openssh/sftp-server' - $default_ssh_config_hash_known_hosts = 'no' $default_service_name = 'sshd' + $default_ssh_config_hash_known_hosts = 'no' $default_ssh_config_forward_x11_trusted = 'yes' + $default_ssh_package_source = undef + $default_ssh_package_adminfile = undef + $default_ssh_sendenv = true + $default_sshd_config_subsystem_sftp = '/usr/libexec/openssh/sftp-server' $default_sshd_config_mode = '0600' $default_sshd_config_use_dns = 'yes' $default_sshd_config_xauth_location = '/usr/bin/xauth' $default_sshd_use_pam = 'yes' - $default_ssh_package_source = undef - $default_ssh_package_adminfile = undef $default_sshd_gssapikeyexchange = undef $default_sshd_pamauthenticationviakbdint = undef $default_sshd_gssapicleanupcredentials = 'yes' - $default_ssh_acceptenv = true + $default_sshd_acceptenv = true } 'Suse': { $default_packages = 'openssh' - $default_ssh_config_hash_known_hosts = 'no' $default_service_name = 'sshd' + $default_ssh_config_hash_known_hosts = 'no' + $default_ssh_package_source = undef + $default_ssh_package_adminfile = undef + $default_ssh_sendenv = true $default_ssh_config_forward_x11_trusted = 'yes' $default_sshd_config_mode = '0600' $default_sshd_config_use_dns = 'yes' $default_sshd_config_xauth_location = '/usr/bin/xauth' $default_sshd_use_pam = 'yes' - $default_ssh_package_source = undef - $default_ssh_package_adminfile = undef $default_sshd_gssapikeyexchange = undef $default_sshd_pamauthenticationviakbdint = undef $default_sshd_gssapicleanupcredentials = 'yes' - $default_ssh_acceptenv = true + $default_sshd_acceptenv = true case $::architecture { 'x86_64': { $default_sshd_config_subsystem_sftp = '/usr/lib64/ssh/sftp-server' @@ -108,20 +111,21 @@ class ssh ( 'Debian': { $default_packages = ['openssh-server', 'openssh-client'] - $default_ssh_config_hash_known_hosts = 'no' - $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_service_name = 'ssh' $default_ssh_config_forward_x11_trusted = 'yes' + $default_ssh_config_hash_known_hosts = 'no' + $default_ssh_package_source = undef + $default_ssh_package_adminfile = undef + $default_ssh_sendenv = true + $default_sshd_config_subsystem_sftp = '/usr/lib/openssh/sftp-server' $default_sshd_config_mode = '0600' $default_sshd_config_use_dns = 'yes' $default_sshd_config_xauth_location = '/usr/bin/xauth' $default_sshd_use_pam = 'yes' - $default_ssh_package_source = undef - $default_ssh_package_adminfile = undef $default_sshd_gssapikeyexchange = undef $default_sshd_pamauthenticationviakbdint = undef $default_sshd_gssapicleanupcredentials = 'yes' - $default_ssh_acceptenv = true + $default_sshd_acceptenv = true } 'Solaris': { $default_packages = ['SUNWsshcu', @@ -130,25 +134,26 @@ class ssh ( 'SUNWsshr', 'SUNWsshu'] $default_ssh_config_hash_known_hosts = undef - $default_sshd_config_subsystem_sftp = '/usr/lib/ssh/sftp-server' + $default_ssh_package_source = '/var/spool/pkg' + $default_ssh_package_adminfile = undef + $default_ssh_sendenv = false $default_ssh_config_forward_x11_trusted = undef + $default_sshd_config_subsystem_sftp = '/usr/lib/ssh/sftp-server' $default_sshd_config_mode = '0644' $default_sshd_config_use_dns = undef $default_sshd_config_xauth_location = '/usr/openwin/bin/xauth' $default_sshd_use_pam = undef - $default_ssh_package_source = '/var/spool/pkg' - $default_ssh_package_adminfile = undef $default_sshd_gssapikeyexchange = 'yes' $default_sshd_pamauthenticationviakbdint = 'yes' $default_sshd_gssapicleanupcredentials = undef - $default_ssh_acceptenv = false + $default_sshd_acceptenv = false case $::kernelrelease { '5.10','5.11': { - $default_service_name = 'ssh' + $default_service_name = 'ssh' } '5.9' : { - $default_service_name = 'sshd' - } + $default_service_name = 'sshd' + } default: { fail('ssh module supports Solaris kernel release 5.9, 5.10 and 5.11.') } @@ -207,6 +212,10 @@ class ssh ( $ssh_package_adminfile_real = $ssh_package_adminfile } + if $ssh_package_adminfile_real != undef { + validate_absolute_path($ssh_package_adminfile_real) + } + if $sshd_config_use_dns == 'USE_DEFAULTS' { $sshd_config_use_dns_real = $default_sshd_config_use_dns } else { @@ -224,6 +233,9 @@ class ssh ( } else { $ssh_config_forward_x11_trusted_real = $ssh_config_forward_x11_trusted } + if $ssh_config_forward_x11_trusted_real != undef { + validate_re($ssh_config_forward_x11_trusted_real, '^(yes|no)$', "ssh::ssh_config_forward_x11_trusted may be either 'yes' or 'no' and is set to <${ssh_config_forward_x11_trusted_real}>.") + } if $sshd_gssapikeyexchange == 'USE_DEFAULTS' { $sshd_gssapikeyexchange_real = $default_sshd_gssapikeyexchange @@ -243,33 +255,50 @@ class ssh ( $sshd_gssapicleanupcredentials_real = $sshd_gssapicleanupcredentials } - if $ssh_acceptenv == 'USE_DEFAULTS' { - $ssh_acceptenv_real = $default_ssh_acceptenv + if $ssh_sendenv == 'USE_DEFAULTS' { + $ssh_sendenv_real = $default_ssh_sendenv } else { - case type($ssh_acceptenv) { + case type($ssh_sendenv) { 'string': { - validate_re($ssh_acceptenv, '^(true|false)$', "ssh::ssh_acceptenv may be either 'true' or 'false' and is set to <${ssh_acceptenv}>.") - $ssh_acceptenv_real = str2bool($ssh_acceptenv) + validate_re($ssh_sendenv, '^(true|false)$', "ssh::ssh_sendenv may be either 'true' or 'false' and is set to <${ssh_sendenv}>.") + $ssh_sendenv_real = str2bool($ssh_sendenv) } 'boolean': { - $ssh_acceptenv_real = $ssh_acceptenv + $ssh_sendenv_real = $ssh_sendenv } default: { - fail('ssh::ssh_acceptenv type must be true or false.') + fail('ssh::ssh_sendenv type must be true or false.') + } + } + } + + if $sshd_acceptenv == 'USE_DEFAULTS' { + $sshd_acceptenv_real = $default_sshd_acceptenv + } else { + case type($sshd_acceptenv) { + 'string': { + validate_re($sshd_acceptenv, '^(true|false)$', "ssh::sshd_acceptenv may be either 'true' or 'false' and is set to <${sshd_acceptenv}>.") + $sshd_acceptenv_real = str2bool($sshd_acceptenv) + } + 'boolean': { + $sshd_acceptenv_real = $sshd_acceptenv + } + default: { + fail('ssh::sshd_acceptenv type must be true or false.') } } } # validate params if $ssh_config_hash_known_hosts_real != undef { - validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts_real}>.") + validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh::ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts_real}>.") } validate_re($sshd_config_port, '^\d+$', "ssh::sshd_config_port must be a valid number and is set to <${sshd_config_port}>.") validate_re($sshd_password_authentication, '^(yes|no)$', "ssh::sshd_password_authentication may be either 'yes' or 'no' and is set to <${sshd_password_authentication}>.") validate_re($sshd_allow_tcp_forwarding, '^(yes|no)$', "ssh::sshd_allow_tcp_forwarding may be either 'yes' or 'no' and is set to <${sshd_allow_tcp_forwarding}>.") validate_re($sshd_x11_forwarding, '^(yes|no)$', "ssh::sshd_x11_forwarding may be either 'yes' or 'no' and is set to <${sshd_x11_forwarding}>.") if $sshd_use_pam_real != undef { - validate_re($sshd_use_pam_real, '^(yes|no)$', "ssh::sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam_real}>.") + validate_re($sshd_use_pam_real, '^(yes|no)$', "ssh::sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam_real}>.") } if is_integer($sshd_client_alive_interval) == false { fail("ssh::sshd_client_alive_interval must be an integer and is set to <${sshd_client_alive_interval}>.") } @@ -281,14 +310,17 @@ class ssh ( } validate_re($sshd_gssapiauthentication, '^(yes|no)$', "ssh::sshd_gssapiauthentication may be either 'yes' or 'no' and is set to <${sshd_gssapiauthentication}>.") + if $sshd_gssapikeyexchange_real != undef { - validate_re($sshd_gssapikeyexchange_real, '^(yes|no)$', "ssh::sshd_gssapikeyexchange may be either 'yes' or 'no' and is set to <${sshd_gssapikeyexchange_real}>.") + validate_re($sshd_gssapikeyexchange_real, '^(yes|no)$', "ssh::sshd_gssapikeyexchange may be either 'yes' or 'no' and is set to <${sshd_gssapikeyexchange_real}>.") } + if $sshd_pamauthenticationviakbdint_real != undef { - validate_re($sshd_pamauthenticationviakbdint_real, '^(yes|no)$', "ssh::sshd_pamauthenticationviakbdint may be either 'yes' or 'no' and is set to <${sshd_pamauthenticationviakbdint_real}>.") + validate_re($sshd_pamauthenticationviakbdint_real, '^(yes|no)$', "ssh::sshd_pamauthenticationviakbdint may be either 'yes' or 'no' and is set to <${sshd_pamauthenticationviakbdint_real}>.") } + if $sshd_gssapicleanupcredentials_real != undef { - validate_re($sshd_gssapicleanupcredentials_real, '^(yes|no)$', "ssh::sshd_gssapicleanupcredentials may be either 'yes' or 'no' and is set to <${sshd_gssapicleanupcredentials_real}>.") + validate_re($sshd_gssapicleanupcredentials_real, '^(yes|no)$', "ssh::sshd_gssapicleanupcredentials may be either 'yes' or 'no' and is set to <${sshd_gssapicleanupcredentials_real}>.") } case type($hiera_merge) { diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index c2f1f6c..f7aa0ab 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -2,9 +2,8 @@ require 'spec_helper' describe 'ssh' do context 'with default params on osfamily RedHat' do - let :facts do - { - :fqdn => 'monkey.example.com', + let(:facts) do + { :fqdn => 'monkey.example.com', :osfamily => 'RedHat', :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' } @@ -26,7 +25,7 @@ describe 'ssh' do it { should contain_file('ssh_config').with({ - 'ensure' => 'file', + 'ensure' => 'file', 'path' => '/etc/ssh/ssh_config', 'owner' => 'root', 'group' => 'root', @@ -39,6 +38,7 @@ describe 'ssh' do it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } it { should contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) } it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) } + it { should contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted yes$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } @@ -46,7 +46,7 @@ describe 'ssh' do it { should contain_file('sshd_config').with({ - 'ensure' => 'file', + 'ensure' => 'file', 'path' => '/etc/ssh/sshd_config', 'owner' => 'root', 'group' => 'root', @@ -73,8 +73,8 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } - it { should_not contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) } - it { should_not contain_file('sshd_config').with_content(/^GSSAPIKeyExchange no$/) } + it { should_not contain_file('sshd_config').with_content(/^\s*PAMAuthenticationViaKBDInt yes$/) } + it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange no$/) } it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) } it { @@ -98,27 +98,27 @@ describe 'ssh' do context 'with default params on osfamily Solaris kernelrelease 5.8' do let :facts do { - :fqdn => 'monkey.example.com', - :osfamily => 'Solaris', - :kernelrelease => '5.8', - :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + :fqdn => 'monkey.example.com', + :osfamily => 'Solaris', + :kernelrelease => '5.8', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' } end it 'should fail' do expect { should include_class('ssh') - }.to raise_error(Puppet::Error,/ssh module supports Solaris kernel release 5.9, 5.10 and 5.11./) + }.to raise_error(Puppet::Error,/^ssh module supports Solaris kernel release 5.9, 5.10 and 5.11./) end end context 'with default params on osfamily Solaris kernelrelease 5.11' do let :facts do { - :fqdn => 'monkey.example.com', - :osfamily => 'Solaris', - :kernelrelease => '5.11', - :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + :fqdn => 'monkey.example.com', + :osfamily => 'Solaris', + :kernelrelease => '5.11', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' } end @@ -130,8 +130,8 @@ describe 'ssh' do ['SUNWsshcu','SUNWsshdr','SUNWsshdu','SUNWsshr','SUNWsshu'].each do |pkg| it { should contain_package(pkg).with({ - 'ensure' => 'installed', - 'source' => '/var/spool/pkg', + 'ensure' => 'installed', + 'source' => '/var/spool/pkg', 'adminfile' => nil, }) } @@ -139,7 +139,7 @@ describe 'ssh' do it { should contain_file('ssh_config').with({ - 'ensure' => 'file', + 'ensure' => 'file', 'path' => '/etc/ssh/ssh_config', 'owner' => 'root', 'group' => 'root', @@ -151,6 +151,7 @@ describe 'ssh' do it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } it { should_not contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) } + it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } @@ -177,11 +178,11 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^XAuthLocation \/usr\/openwin\/bin\/xauth$/) } it { should contain_file('sshd_config').with_content(/^Subsystem sftp \/usr\/lib\/ssh\/sftp-server$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } - it { should_not contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } + it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPICleanupCredentials yes$/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } it { should contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) } - it { should_not contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) } + it { should_not contain_file('sshd_config').with_content(/^\s*AcceptEnv L.*$/) } it { should contain_service('sshd_service').with({ @@ -204,10 +205,10 @@ describe 'ssh' do context 'with default params on osfamily Solaris kernelrelease 5.10' do let :facts do { - :fqdn => 'monkey.example.com', - :osfamily => 'Solaris', - :kernelrelease => '5.10', - :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + :fqdn => 'monkey.example.com', + :osfamily => 'Solaris', + :kernelrelease => '5.10', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' } end @@ -218,8 +219,8 @@ describe 'ssh' do ['SUNWsshcu','SUNWsshdr','SUNWsshdu','SUNWsshr','SUNWsshu'].each do |pkg| it { should contain_package(pkg).with({ - 'ensure' => 'installed', - 'source' => '/var/spool/pkg', + 'ensure' => 'installed', + 'source' => '/var/spool/pkg', 'adminfile' => nil, }) } @@ -227,7 +228,7 @@ describe 'ssh' do it { should contain_file('ssh_config').with({ - 'ensure' => 'file', + 'ensure' => 'file', 'path' => '/etc/ssh/ssh_config', 'owner' => 'root', 'group' => 'root', @@ -239,6 +240,7 @@ describe 'ssh' do it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } it { should_not contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) } + it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } @@ -265,11 +267,11 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^XAuthLocation \/usr\/openwin\/bin\/xauth$/) } it { should contain_file('sshd_config').with_content(/^Subsystem sftp \/usr\/lib\/ssh\/sftp-server$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } - it { should_not contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } + it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPICleanupCredentials yes$/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } it { should contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) } - it { should_not contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) } + it { should_not contain_file('sshd_config').with_content(/^\s*AcceptEnv L.*$/) } it { should contain_service('sshd_service').with({ @@ -291,11 +293,10 @@ describe 'ssh' do context 'with default params on osfamily Solaris kernelrelease 5.9' do let :facts do - { - :fqdn => 'monkey.example.com', - :osfamily => 'Solaris', - :kernelrelease => '5.9', - :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + { :fqdn => 'monkey.example.com', + :osfamily => 'Solaris', + :kernelrelease => '5.9', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' } end @@ -306,8 +307,8 @@ describe 'ssh' do ['SUNWsshcu','SUNWsshdr','SUNWsshdu','SUNWsshr','SUNWsshu'].each do |pkg| it { should contain_package(pkg).with({ - 'ensure' => 'installed', - 'source' => '/var/spool/pkg', + 'ensure' => 'installed', + 'source' => '/var/spool/pkg', 'adminfile' => nil, }) } @@ -315,7 +316,7 @@ describe 'ssh' do it { should contain_file('ssh_config').with({ - 'ensure' => 'file', + 'ensure' => 'file', 'path' => '/etc/ssh/ssh_config', 'owner' => 'root', 'group' => 'root', @@ -327,6 +328,7 @@ describe 'ssh' do it { should contain_file('ssh_config').with_content(/^# This file is being maintained by Puppet.\n# DO NOT EDIT\n\n# \$OpenBSD: ssh_config,v 1.21 2005\/12\/06 22:38:27 reyk Exp \$/) } it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } it { should_not contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) } + it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } @@ -335,7 +337,7 @@ describe 'ssh' do it { should contain_file('sshd_config').with({ - 'ensure' => 'file', + 'ensure' => 'file', 'path' => '/etc/ssh/sshd_config', 'owner' => 'root', 'group' => 'root', @@ -353,11 +355,11 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^XAuthLocation \/usr\/openwin\/bin\/xauth$/) } it { should contain_file('sshd_config').with_content(/^Subsystem sftp \/usr\/lib\/ssh\/sftp-server$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } - it { should_not contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } + it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPICleanupCredentials yes$/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } it { should contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) } - it { should_not contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) } + it { should_not contain_file('sshd_config').with_content(/^\s*AcceptEnv L.*$/) } it { should contain_service('sshd_service').with({ @@ -380,9 +382,9 @@ describe 'ssh' do context 'with default params on osfamily Debian' do let :facts do { - :fqdn => 'monkey.example.com', - :osfamily => 'Debian', - :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + :fqdn => 'monkey.example.com', + :osfamily => 'Debian', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' } end it { should compile.with_all_deps } @@ -401,7 +403,7 @@ describe 'ssh' do it { should contain_file('ssh_config').with({ - 'ensure' => 'file', + 'ensure' => 'file', 'path' => '/etc/ssh/ssh_config', 'owner' => 'root', 'group' => 'root', @@ -414,6 +416,7 @@ describe 'ssh' do it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } it { should contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) } it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) } + it { should contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted yes$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } @@ -448,8 +451,8 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } - it { should_not contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) } - it { should_not contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) } + it { should_not contain_file('sshd_config').with_content(/^\s*PAMAuthenticationViaKBDInt yes$/) } + it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange yes$/) } it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) } it { @@ -494,7 +497,7 @@ describe 'ssh' do it { should contain_file('ssh_config').with({ - 'ensure' => 'file', + 'ensure' => 'file', 'path' => '/etc/ssh/ssh_config', 'owner' => 'root', 'group' => 'root', @@ -507,6 +510,7 @@ describe 'ssh' do it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } it { should contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) } it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) } + it { should contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted yes$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } @@ -541,8 +545,8 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } - it { should_not contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) } - it { should_not contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) } + it { should_not contain_file('sshd_config').with_content(/^\s*PAMAuthenticationViaKBDInt yes$/) } + it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange yes$/) } it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) } it { @@ -587,7 +591,7 @@ describe 'ssh' do it { should contain_file('ssh_config').with({ - 'ensure' => 'file', + 'ensure' => 'file', 'path' => '/etc/ssh/ssh_config', 'owner' => 'root', 'group' => 'root', @@ -600,6 +604,7 @@ describe 'ssh' do it { should contain_file('ssh_config').with_content(/^ Protocol 2$/) } it { should contain_file('ssh_config').with_content(/^\s*HashKnownHosts no$/) } it { should contain_file('ssh_config').with_content(/^\s*SendEnv L.*$/) } + it { should contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted yes$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardAgent$/) } it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11$/) } @@ -634,8 +639,8 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } - it { should_not contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) } - it { should_not contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) } + it { should_not contain_file('sshd_config').with_content(/^\s*PAMAuthenticationViaKBDInt yes$/) } + it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange yes$/) } it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) } it { @@ -698,7 +703,7 @@ describe 'ssh' do it { should contain_file('ssh_config').with({ - 'ensure' => 'file', + 'ensure' => 'file', 'path' => '/etc/ssh/ssh_config', 'owner' => 'root', 'group' => 'root', @@ -750,7 +755,7 @@ describe 'ssh' do it { should contain_file('sshd_config').with({ - 'ensure' => 'file', + 'ensure' => 'file', 'path' => '/etc/ssh/sshd_config', 'owner' => 'root', 'group' => 'root', @@ -777,8 +782,8 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } - it { should_not contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt yes$/) } - it { should_not contain_file('sshd_config').with_content(/^GSSAPIKeyExchange yes$/) } + it { should_not contain_file('sshd_config').with_content(/^\s*PAMAuthenticationViaKBDInt yes$/) } + it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange yes$/) } it { should contain_file('sshd_config').with_content(/^AcceptEnv L.*$/) } it { @@ -826,11 +831,11 @@ describe 'ssh' do it { should contain_file('root_ssh_config').with({ - 'ensure' => 'file', - 'path' => '/root/.ssh/config', - 'owner' => 'root', - 'group' => 'root', - 'mode' => '0600', + 'ensure' => 'file', + 'path' => '/root/.ssh/config', + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0600', }) } end @@ -850,7 +855,7 @@ describe 'ssh' do it 'should fail' do expect { should contain_class('ssh') - }.to raise_error(Puppet::Error,/ssh_config_hash_known_hosts may be either \'yes\' or \'no\' and is set to ./) + }.to raise_error(Puppet::Error,/^ssh::ssh_config_hash_known_hosts may be either \'yes\' or \'no\' and is set to ./) end end @@ -989,16 +994,13 @@ describe 'ssh' do end context 'with sshd_config_banner set to invalid value on valid osfamily' do - let :facts do - { - :fqdn => 'monkey.example.com', + let(:params) { { :sshd_config_banner => 'invalid/path' } } + let(:facts) do + { :fqdn => 'monkey.example.com', :osfamily => 'RedHat', :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' } end - let :params do - { :sshd_config_banner => 'invalid/path' } - end it 'should fail' do expect { @@ -1008,18 +1010,13 @@ describe 'ssh' do end context 'with sshd_banner_content set and with default value on sshd_config_banner on valid osfamily' do + let(:params) { { :sshd_banner_content => 'textinbanner' } } let :facts do - { - :fqdn => 'monkey.example.com', + { :fqdn => 'monkey.example.com', :osfamily => 'RedHat', :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' } end - let :params do - { - :sshd_banner_content => 'textinbanner' - } - end it 'should fail' do expect { @@ -1030,16 +1027,13 @@ describe 'ssh' do context 'with ssh_config_sendenv_xmodifiers set to invalid type, array' do + let(:params) { { :ssh_config_sendenv_xmodifiers => ['invalid','type'] } } let :facts do - { - :fqdn => 'monkey.example.com', + { :fqdn => 'monkey.example.com', :osfamily => 'RedHat', :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' } end - let :params do - { :ssh_config_sendenv_xmodifiers => ['invalid','type'] } - end it 'should fail' do expect { @@ -1215,4 +1209,460 @@ describe 'ssh' do end end end + + describe 'with ssh_package_adminfile parameter specified' do + context 'as a valid path' do + let(:params) { { :ssh_package_adminfile => '/var/tmp/admin' } } + let :facts do + { :fqdn => 'monkey.example.com', + :osfamily => 'Solaris', + :kernelrelease => '5.11', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + ['SUNWsshcu','SUNWsshdr','SUNWsshdu','SUNWsshr','SUNWsshu'].each do |pkg| + it { + should contain_package(pkg).with({ + 'ensure' => 'installed', + 'source' => '/var/spool/pkg', + 'adminfile' => '/var/tmp/admin', + }) + } + end + end + + context 'as an invalid path' do + let(:params) { { :ssh_package_adminfile => 'invalid/path' } } + let :facts do + { :fqdn => 'monkey.example.com', + :osfamily => 'Solaris', + :kernelrelease => '5.11', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it 'should fail' do + expect { should raise_error(Puppet::Error,/^is not an absolute path/) } + end + end + end + + describe 'with sshd_config_xauth_location parameter specified' do + context 'as a valid path' do + let(:params) { { :sshd_config_xauth_location => '/opt/ssh/bin/xauth' } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it { should contain_file('sshd_config').with_content(/^XAuthLocation \/opt\/ssh\/bin\/xauth$/) } + end + + context 'as an invalid path' do + let(:params) { { :sshd_config_xauth_location => 'invalid/path' } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it 'should fail' do + expect { should raise_error(Puppet::Error,/^is not an absolute path/) } + end + end + + context 'as an invalid type' do + let(:params) { { :sshd_config_xauth_location => true } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it 'should fail' do + expect { should raise_error(Puppet::Error) } + end + end + end + + describe 'with ssh_package_source parameter specified' do + context 'as a valid path' do + let(:params) { { :ssh_package_source => '/mnt/packages' } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'Solaris', + :kernelrelease => '5.11', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + ['SUNWsshcu','SUNWsshdr','SUNWsshdu','SUNWsshr','SUNWsshu'].each do |pkg| + it { + should contain_package(pkg).with({ + 'ensure' => 'installed', + 'source' => '/mnt/packages', + 'adminfile' => nil, + }) + } + end + end + + context 'as an invalid path' do + let(:params) { { :ssh_package_source => 'invalid/path' } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'Solaris', + :kernelrelease => '5.11', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it 'should fail' do + expect { should raise_error(Puppet::Error,/^is not an absolute path/) } + end + end + + context 'as an invalid type' do + let(:params) { { :ssh_package_source => true } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'Solaris', + :kernelrelease => '5.11', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it 'should fail' do + expect { should raise_error(Puppet::Error) } + end + end + end + + describe 'with parameter ssh_config_forward_x11_trusted' do + ['yes','no'].each do |value| + context "specified as #{value}" do + let(:params) { { :ssh_config_forward_x11_trusted => value } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it { should contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted #{value}$/) } + end + end + + context 'not specified' do + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'Solaris', + :kernelrelease => '5.11', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it { should_not contain_file('ssh_config').with_content(/^\s*ForwardX11Trusted/) } + end + + ['YES',true].each do |value| + context "specified an invalid value #{value}" do + let(:params) { { :ssh_config_forward_x11_trusted => value } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it 'should fail' do + expect { should raise_error(Puppet::Error,/^ssh::ssh_config_forward_x11_trusted may be either 'yes' or 'no' and is set to <#{value}>./) } + end + end + end + end + + describe 'with parameter sshd_gssapiauthentication' do + ['yes','no'].each do |value| + context "specified as #{value}" do + let(:params) { { :sshd_gssapiauthentication => value } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'Solaris', + :kernelrelease => '5.11', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication #{value}$/) } + end + end + + ['YES',true].each do |value| + context "specified an invalid value #{value}" do + let(:params) { { :sshd_gssapiauthentication => value } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it 'should fail' do + expect { should raise_error(Puppet::Error,/^ssh::sshd_gssapiauthentication may be either 'yes' or 'no' and is set to <#{value}>./) } + end + end + end + end + + describe 'with parameter sshd_gssapikeyexchange' do + ['yes','no'].each do |value| + context "specified as #{value}" do + let(:params) { { :sshd_gssapikeyexchange => value } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it { should contain_file('sshd_config').with_content(/^GSSAPIKeyExchange #{value}$/) } + end + end + + context 'not specified' do + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPIKeyExchange/) } + end + + ['YES',true].each do |value| + context "specified an invalid value #{value}" do + let(:params) { { :sshd_gssapikeyexchange => value } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it 'should fail' do + expect { should raise_error(Puppet::Error,/^ssh::sshd_gssapikeyexchange may be either 'yes' or 'no' and is set to <#{value}>./) } + end + end + end + end + + describe 'with parameter sshd_pamauthenticationviakbdint' do + ['yes','no'].each do |value| + context "specified as #{value}" do + let(:params) { { :sshd_pamauthenticationviakbdint => value } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it { should contain_file('sshd_config').with_content(/^PAMAuthenticationViaKBDInt #{value}$/) } + end + end + + context 'not specified' do + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it { should_not contain_file('sshd_config').with_content(/^\s*PAMAuthenticationViaKBDInt/) } + end + + ['YES',true].each do |value| + context "specified an invalid value #{value}" do + let(:params) { { :sshd_pamauthenticationviakbdint => value } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it 'should fail' do + expect { should raise_error(Puppet::Error,/^ssh::sshd_pamauthenticationviakbdint may be either 'yes' or 'no' and is set to <#{value}>./) } + end + end + end + end + + describe 'with parameter sshd_gssapicleanupcredentials' do + ['yes','no'].each do |value| + context "specified as #{value}" do + let(:params) { { :sshd_gssapicleanupcredentials => value } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials #{value}$/) } + end + end + + context 'not specified' do + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'Solaris', + :kernelrelease => '5.11', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it { should_not contain_file('sshd_config').with_content(/^\s*GSSAPICleanupCredentials/) } + end + + ['YES',true].each do |value| + context "specified an invalid value #{value}" do + let(:params) { { :sshd_gssapicleanupcredentials => value } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it 'should fail' do + expect { should raise_error(Puppet::Error,/^ssh::sshd_gssapicleanupcredentials may be either 'yes' or 'no' and is set to <#{value}>./) } + end + end + end + end + + describe 'with parameter ssh_sendenv specified' do + ['true',true].each do |value| + context "as #{value}" do + let(:params) { { :ssh_sendenv => value } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it { should contain_file('ssh_config').with_content(/^\s*SendEnv/) } + end + end + + ['false',false].each do |value| + context "as #{value}" do + let(:params) { { :ssh_sendenv => value } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it { should_not contain_file('ssh_config').with_content(/^\s*SendEnv/) } + end + end + + context 'as an invalid string' do + let(:params) { { :ssh_sendenv => 'invalid' } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it 'should fail' do + expect { should raise_error(Puppet::Error,/^ssh::ssh_sendenv may be either 'true' or 'false' and is set to ./) } + end + end + + context 'as an invalid type' do + let(:params) { { :ssh_sendenv => ['invalid','type'] } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it 'should fail' do + expect { should raise_error(Puppet::Error,/^ssh::ssh_sendenv type must be true or false./) } + end + end + end + + describe 'with parameter sshd_acceptenv specified' do + ['true',true].each do |value| + context "as #{value}" do + let(:params) { { :sshd_acceptenv => value } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it { should contain_file('sshd_config').with_content(/^\s*AcceptEnv/) } + end + end + + ['false',false].each do |value| + context "as #{value}" do + let(:params) { { :sshd_acceptenv => value } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it { should_not contain_file('sshd_config').with_content(/^\s*AcceptEnv/) } + end + end + + context 'as an invalid string' do + let(:params) { { :sshd_acceptenv => 'invalid' } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it 'should fail' do + expect { should raise_error(Puppet::Error,/^ssh::sshd_acceptenv may be either 'true' or 'false' and is set to ./) } + end + end + + context 'as an invalid type' do + let(:params) { { :sshd_acceptenv => ['invalid','type'] } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it 'should fail' do + expect { should raise_error(Puppet::Error,/^ssh::sshd_acceptenv type must be true or false./) } + end + end + end end diff --git a/templates/ssh_config.erb b/templates/ssh_config.erb index 0e7981d..71253ae 100644 --- a/templates/ssh_config.erb +++ b/templates/ssh_config.erb @@ -65,7 +65,7 @@ Host * <% if @ssh_config_server_alive_interval != nil -%> ServerAliveInterval <%= @ssh_config_server_alive_interval %> <% end -%> -<% if @ssh_acceptenv_real == true -%> +<% if @ssh_sendenv_real == true -%> # Send locale-related environment variables SendEnv LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb index 576ed29..68c1395 100644 --- a/templates/sshd_config.erb +++ b/templates/sshd_config.erb @@ -65,11 +65,11 @@ PermitRootLogin <%= @permit_root_login %> PasswordAuthentication <%= @sshd_password_authentication %> <% if @sshd_pamauthenticationviakbdint_real != nil -%> # Use PAM via keyboard interactive method for authentication. -# # Depending on the setup of pam.conf(4) this may allow tunneled clear text -# # passwords even when PasswordAuthentication is set to no. This is dependent -# # on what the individual modules request and is out of the control of sshd -# # or the protocol. -PAMAuthenticationViaKBDInt yes +# Depending on the setup of pam.conf(4) this may allow tunneled clear text +# passwords even when PasswordAuthentication is set to no. This is dependent +# on what the individual modules request and is out of the control of sshd +# or the protocol. +PAMAuthenticationViaKBDInt <%= @sshd_pamauthenticationviakbdint_real %> <% end -%> #PermitEmptyPasswords no @@ -107,7 +107,7 @@ GSSAPICleanupCredentials <%= @sshd_gssapicleanupcredentials_real %> UsePAM <%= @sshd_use_pam_real %> <% end -%> -<% if @ssh_acceptenv_real == true -%> +<% if @sshd_acceptenv_real == true -%> # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT From 965bc661d09a33a23a207c3e9860cb26d7f1ca70 Mon Sep 17 00:00:00 2001 From: Garrett Honeycutt Date: Thu, 27 Feb 2014 20:03:52 -0500 Subject: [PATCH 05/11] exported sshkey does not require ssh package This is necessary because of a bug with PuppetDB. Without this patch you will get invalid relationship errors. --- manifests/init.pp | 1 - 1 file changed, 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 51aec4e..6f06a7c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -471,7 +471,6 @@ class ssh ( ensure => $ssh_key_ensure, type => $ssh_key_type, key => $key, - require => Package[$packages_real], } # import all nodes' ssh keys From 0523bac29a3c506187d221af3710a55adb2cdffa Mon Sep 17 00:00:00 2001 From: Mark Nalyanya Date: Fri, 28 Feb 2014 16:06:18 +0100 Subject: [PATCH 06/11] Fix service hasstatus for Solaris 9 --- README.md | 4 ++-- manifests/init.pp | 32 +++++++++++++++++++++++++++----- spec/classes/init_spec.rb | 2 +- 3 files changed, 30 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 6d04fd2..3bbb4c1 100644 --- a/README.md +++ b/README.md @@ -346,9 +346,9 @@ Specify that the init script has a restart command. Valid values are 'true' and service_hasstatus ----------------- -Declare whether the service's init script has a functional status command. Valid values are 'true' and 'false' +Boolean to declare whether the service's init script has a functional status command. -- *Default*: 'true' +- *Default*: 'USE_DEFAULTS' ssh_key_ensure -------------- diff --git a/manifests/init.pp b/manifests/init.pp index 6f06a7c..e0063c5 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -52,7 +52,7 @@ class ssh ( $service_name = 'USE_DEFAULTS', $service_enable = 'true', $service_hasrestart = 'true', - $service_hasstatus = 'true', + $service_hasstatus = 'USE_DEFAULTS', $ssh_key_ensure = 'present', $ssh_key_type = 'ssh-rsa', $keys = undef, @@ -78,7 +78,8 @@ class ssh ( $default_sshd_gssapikeyexchange = undef $default_sshd_pamauthenticationviakbdint = undef $default_sshd_gssapicleanupcredentials = 'yes' - $default_sshd_acceptenv = true + $default_sshd_acceptenv = true + $default_service_hasstatus = true } 'Suse': { $default_packages = 'openssh' @@ -96,6 +97,7 @@ class ssh ( $default_sshd_pamauthenticationviakbdint = undef $default_sshd_gssapicleanupcredentials = 'yes' $default_sshd_acceptenv = true + $default_service_hasstatus = true case $::architecture { 'x86_64': { $default_sshd_config_subsystem_sftp = '/usr/lib64/ssh/sftp-server' @@ -126,6 +128,7 @@ class ssh ( $default_sshd_pamauthenticationviakbdint = undef $default_sshd_gssapicleanupcredentials = 'yes' $default_sshd_acceptenv = true + $default_service_hasstatus = true } 'Solaris': { $default_packages = ['SUNWsshcu', @@ -149,10 +152,12 @@ class ssh ( $default_sshd_acceptenv = false case $::kernelrelease { '5.10','5.11': { - $default_service_name = 'ssh' + $default_service_name = 'ssh' + $default_service_hasstatus = true } '5.9' : { - $default_service_name = 'sshd' + $default_service_name = 'sshd' + $default_service_hasstatus = false } default: { fail('ssh module supports Solaris kernel release 5.9, 5.10 and 5.11.') @@ -289,6 +294,23 @@ class ssh ( } } + if $service_hasstatus == 'USE_DEFAULTS' { + $service_hasstatus_real = $default_service_hasstatus + } else { + case type($service_hasstatus) { + 'string': { + validate_re($service_hasstatus, '^(true|false)$', "ssh::service_hasstatus may be either 'true' or 'false' and is set to <${service_hasstatus}>.") + $service_hasstatus_real = str2bool($service_hasstatus) + } + 'boolean': { + $service_hasstatus_real = $service_hasstatus + } + default: { + fail('ssh::service_hasstatus type must be true or false.') + } + } + } + # validate params if $ssh_config_hash_known_hosts_real != undef { validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh::ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts_real}>.") @@ -454,7 +476,7 @@ class ssh ( name => $service_name_real, enable => $service_enable, hasrestart => $service_hasrestart, - hasstatus => $service_hasstatus, + hasstatus => $service_hasstatus_real, subscribe => File['sshd_config'], } diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index f7aa0ab..e4b3194 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -367,7 +367,7 @@ describe 'ssh' do 'name' => 'sshd', 'enable' => 'true', 'hasrestart' => 'true', - 'hasstatus' => 'true', + 'hasstatus' => 'false', 'subscribe' => 'File[sshd_config]', }) } From b3c2cd78867e09005f5b9879cf8724a9063a8c5c Mon Sep 17 00:00:00 2001 From: Garrett Honeycutt Date: Fri, 28 Feb 2014 18:43:17 -0500 Subject: [PATCH 07/11] Fix Mark's commit to support Solaris 9 --- manifests/init.pp | 4 +-- spec/classes/init_spec.rb | 53 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 55 insertions(+), 2 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index e0063c5..8a5c3ed 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -299,14 +299,14 @@ class ssh ( } else { case type($service_hasstatus) { 'string': { - validate_re($service_hasstatus, '^(true|false)$', "ssh::service_hasstatus may be either 'true' or 'false' and is set to <${service_hasstatus}>.") + validate_re($service_hasstatus, '^(true|false)$', "ssh::service_hasstatus must be 'true' or 'false' and is set to <${service_hasstatus}>.") $service_hasstatus_real = str2bool($service_hasstatus) } 'boolean': { $service_hasstatus_real = $service_hasstatus } default: { - fail('ssh::service_hasstatus type must be true or false.') + fail('ssh::service_hasstatus must be true or false.') } } } diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index e4b3194..514658c 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -1665,4 +1665,57 @@ describe 'ssh' do end end end + + describe 'with parameter service_hasstatus' do + ['true',true,'false',false].each do |value| + context "specified as #{value}" do + let(:params) { { :service_hasstatus => value } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it { + should contain_service('sshd_service').with({ + 'ensure' => 'running', + 'name' => 'sshd', + 'enable' => 'true', + 'hasrestart' => 'true', + 'hasstatus' => value, + 'subscribe' => 'File[sshd_config]', + }) + } + end + end + + context 'specified as an invalid string' do + let(:params) { { :service_hasstatus => 'invalid' } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it 'should fail' do + expect { should raise_error(Puppet::Error,/^ssh::service_hasstatus must be 'true' or 'false' and is set to ./) } + end + end + + context 'specified as an invalid type' do + let(:params) { { :service_hasstatus => ['invalid','type'] } } + let(:facts) do + { :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + + it 'should fail' do + expect { should raise_error(Puppet::Error,/^ssh::service_hasstatus must be true or false./) } + end + end + end end From 814b9bc972c9924f174b286d67a6962f0507718c Mon Sep 17 00:00:00 2001 From: Garrett Honeycutt Date: Fri, 28 Feb 2014 18:55:00 -0500 Subject: [PATCH 08/11] Release v3.7.0 - Support for Solaris 9, 10, and 11. --- Modulefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modulefile b/Modulefile index 7cf7e33..833d5e1 100644 --- a/Modulefile +++ b/Modulefile @@ -1,5 +1,5 @@ name 'ghoneycutt-ssh' -version '3.6.1' +version '3.7.0' source 'git://github.com/ghoneycutt/puppet-module-ssh.git' author 'ghoneycutt' license 'Apache License, Version 2.0' From 9792b269bdf418e0a514bd12f13628debe8b429d Mon Sep 17 00:00:00 2001 From: Mike Lehner Date: Tue, 1 Apr 2014 20:12:35 -0400 Subject: [PATCH 09/11] Added ClientAliveCountMax config parameter --- README.md | 16 ++++++++++++++++ manifests/init.pp | 2 ++ spec/classes/init_spec.rb | 25 +++++++++++++++++++++++++ templates/sshd_config.erb | 2 +- 4 files changed, 44 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 3bbb4c1..0233929 100644 --- a/README.md +++ b/README.md @@ -242,6 +242,22 @@ This option applies to protocol version 2 only. - *Default*: '0' +sshd_client_alive_count_max +-------------------------- +ClientAliveCountMax in sshd_config. +Sets the number of client alive messages (see below) which may be sent without sshd(8) +receiving any messages back from the client. If this threshold is reached while client alive +messages are being sent, sshd will disconnect the client, terminating the session. It is +important to note that the use of client alive messages is very different from TCPKeepAlive +(below). The client alive messages are sent through the encrypted channel and therefore will +not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client +alive mechanism is valuable when the client or server depend on knowing when a connection has +become inactive. The default value is 3. If ClientAliveInterval (see below) is set to 15, +and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected +after approximately 45 seconds. This option applies to protocol version 2 only. + +- *Default*: '3' + keys ---- Hash of keys for user's ~/.ssh/authorized_keys diff --git a/manifests/init.pp b/manifests/init.pp index 8a5c3ed..60ae22c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -42,6 +42,7 @@ class ssh ( $sshd_allow_tcp_forwarding = 'yes', $sshd_x11_forwarding = 'yes', $sshd_use_pam = 'USE_DEFAULTS', + $sshd_client_alive_count_max = '3', $sshd_client_alive_interval = '0', $sshd_gssapiauthentication = 'yes', $sshd_gssapikeyexchange = 'USE_DEFAULTS', @@ -323,6 +324,7 @@ class ssh ( validate_re($sshd_use_pam_real, '^(yes|no)$', "ssh::sshd_use_pam may be either 'yes' or 'no' and is set to <${sshd_use_pam_real}>.") } if is_integer($sshd_client_alive_interval) == false { fail("ssh::sshd_client_alive_interval must be an integer and is set to <${sshd_client_alive_interval}>.") } + if is_integer($sshd_client_alive_count_max) == false { fail("ssh::sshd_client_alive_count_max must be an integer and is set to <${sshd_client_alive_count_max}>.") } if $sshd_config_banner != 'none' { validate_absolute_path($sshd_config_banner) diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 514658c..7cd5cd0 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -70,6 +70,7 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) } it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) } + it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 3$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } @@ -448,6 +449,7 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) } it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) } + it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 3$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } @@ -542,6 +544,7 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) } it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) } + it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 3$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } @@ -636,6 +639,7 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^X11Forwarding yes$/) } it { should contain_file('sshd_config').with_content(/^UsePAM yes$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 0$/) } + it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 3$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } @@ -748,6 +752,7 @@ describe 'ssh' do :sshd_x11_forwarding => 'no', :sshd_use_pam => 'no', :sshd_client_alive_interval => '242', + :sshd_client_alive_count_max => '0', } end @@ -779,6 +784,7 @@ describe 'ssh' do it { should contain_file('sshd_config').with_content(/^X11Forwarding no$/) } it { should contain_file('sshd_config').with_content(/^UsePAM no$/) } it { should contain_file('sshd_config').with_content(/^ClientAliveInterval 242$/) } + it { should contain_file('sshd_config').with_content(/^ClientAliveCountMax 0$/) } it { should contain_file('sshd_config').with_content(/^GSSAPIAuthentication yes$/) } it { should contain_file('sshd_config').with_content(/^GSSAPICleanupCredentials yes$/) } it { should contain_file('sshd_config').with_content(/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/) } @@ -993,6 +999,25 @@ describe 'ssh' do end end + context 'with sshd_client_alive_count_max set to invalid value on valid osfamily' do + let :facts do + { + :fqdn => 'monkey.example.com', + :osfamily => 'RedHat', + :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ==' + } + end + let :params do + { :sshd_client_alive_count_max => 'invalid' } + end + + it 'should fail' do + expect { + should contain_class('ssh') + }.to raise_error(Puppet::Error,/^ssh::sshd_client_alive_count_max must be an integer and is set to \./) + end + end + context 'with sshd_config_banner set to invalid value on valid osfamily' do let(:params) { { :sshd_config_banner => 'invalid/path' } } let(:facts) do diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb index 68c1395..a5f79e4 100644 --- a/templates/sshd_config.erb +++ b/templates/sshd_config.erb @@ -130,7 +130,7 @@ PrintMotd <%= @sshd_config_print_motd %> #Compression delayed #ClientAliveInterval 0 ClientAliveInterval <%= @sshd_client_alive_interval %> -#ClientAliveCountMax 3 +ClientAliveCountMax <%= @sshd_client_alive_count_max %> #ShowPatchLevel no <% if @sshd_config_use_dns_real != nil -%> #UseDNS yes From 96872c58320fa5a8adb5178f0d51326b669edd34 Mon Sep 17 00:00:00 2001 From: Garrett Honeycutt Date: Wed, 2 Apr 2014 11:09:43 +0200 Subject: [PATCH 10/11] Release v3.8.0 - Manages ClientAliveCountMax in sshd_config Thanks to mlehner616 for his contribution --- Modulefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modulefile b/Modulefile index 833d5e1..7fb1678 100644 --- a/Modulefile +++ b/Modulefile @@ -1,5 +1,5 @@ name 'ghoneycutt-ssh' -version '3.7.0' +version '3.8.0' source 'git://github.com/ghoneycutt/puppet-module-ssh.git' author 'ghoneycutt' license 'Apache License, Version 2.0' From 9d4af6156a2c2145865b22b7c2dff22504ac797d Mon Sep 17 00:00:00 2001 From: Garrett Honeycutt Date: Thu, 3 Apr 2014 14:00:36 +0200 Subject: [PATCH 11/11] Update spec tests to use contain_class as include_class is deprecated --- spec/classes/init_spec.rb | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 7cd5cd0..0277ed9 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -108,7 +108,7 @@ describe 'ssh' do it 'should fail' do expect { - should include_class('ssh') + should contain_class('ssh') }.to raise_error(Puppet::Error,/^ssh module supports Solaris kernel release 5.9, 5.10 and 5.11./) end end @@ -123,9 +123,9 @@ describe 'ssh' do } end - it { should include_class('ssh')} + it { should contain_class('ssh')} - it { should_not include_class('common')} + it { should_not contain_class('common')} ['SUNWsshcu','SUNWsshdr','SUNWsshdu','SUNWsshr','SUNWsshu'].each do |pkg| @@ -213,9 +213,9 @@ describe 'ssh' do } end - it { should include_class('ssh')} + it { should contain_class('ssh')} - it { should_not include_class('common')} + it { should_not contain_class('common')} ['SUNWsshcu','SUNWsshdr','SUNWsshdu','SUNWsshr','SUNWsshu'].each do |pkg| it { @@ -301,9 +301,9 @@ describe 'ssh' do } end - it { should include_class('ssh')} + it { should contain_class('ssh')} - it { should_not include_class('common')} + it { should_not contain_class('common')} ['SUNWsshcu','SUNWsshdr','SUNWsshdu','SUNWsshr','SUNWsshu'].each do |pkg| it {